Just had my two hosted WP sites auto update, heads-up for those doing manual updates.
http://wptavern.com/wordpress-4-0-1...at-fixes-a-cross-site-scripting-vulnerability
WordPress core contributors released a security update today. All users who have not yet received the automatic update are encouraged to update as soon as possible. WordPress 4.0.1 is a critical security release that provides a fix for a critical cross-site scripting vulnerability, originally reported by Jouko Pynnonen on September 26th.
Sites running WordPress versions 3.9.2 and earlier are affected by the vulnerability. Although installs running 4.0 are not specifically affected, this security update also includes fixes for 23 bugs and eight security issues.
According to the official WordPress version usage stats, only 14.4% of sites are currently running 4.0. This means that the vast majority of WordPress sites are in need of this critical update. A large number of those sites are also running versions that pre-date the automatic background updates that were introduced in WordPress 3.7.